IFSBook Cover

Author Page:

Inside the Windows 95 File System

This is the place to come to get updates to the book. Here are some links to information on this page:

 

What's in this book?

Inside the Windows 95 File System walks you through the inner workings of the Windows 95 file system - it picks up where the official Microsoft documentation leaves off. For a complete run-down of the book's contents, see the chapter summary which gives one or two sentence descriptions of each chapter and the diskette contents which lists the utilities and drivers which you get on the companion diskette.

Some additional information is also available at the O'Reilly website. Here are some links:

Corrections to the first edition.

On page 71:
the value of VWIN32_DIOC_DOS_INT25 should be 2 and the value of VWIN32_DIOC_DOS_INT26 should be 3; they were reversed.

Updates to the book contents.

Checksum of alias directory entries.

Directory entries come in longname and shortname (alias) forms (see pages 179-180). Each longname directory entry contains a checksum byte which is computed on the alias entry. The checksum provides a means for reconciling a longname entry with its corresponding alias entry. Here is the precise algorithm for computing this checksum:

   ;
   ; On entry:
   ;   AL = 0
   ;   ESI points to 11 character filename
   ;
   _ComputeChksum    Proc Near
     mov   ah,0bh              
   nxtchar:
     ror   al,1                
     add   al,byte ptr [esi]   
     inc   esi                 
     dec   ah                  
     jnz   short nxtchar        
     retn

Determining starting cluster for FAT32 directory entries.

You can visualize the FAT32 File Allocation Table as an array of 32-bit unsigned values. Each unsigned value is an index to the next value in the array. These index links form a chain; the chain ends when the indexed value is 0xffffffff. Each array value corresponds to a cluster, the unit of disk space allocation.

The starting point for a cluster chain is specified in a shortname or alias directory entry structure (see page 179), which is shown below:

typedef struct _DIRENTRY {
  
  /* base name */
  char  deName[8];
  
  /* extension */
  char  deExtension[3];
  
  /* file or directory attributes */
  BYTE  deAttributes;
  
  BYTE  deReserved;
  
  /* Win95 - number of 10 msec intervals in 2 seconds */
  BYTE  deCentiSeconds;
  
  /* Win95 - creation time */
  WORD  deCreateTime;
  /* Win95 - creation date */
  WORD  deCreateDate;
  
  /* Win95 - last access date */
  WORD  deLastAccessDate;
  
  /* FAT32 - high word of starting cluster */
  WORD  deEAhandle;
  
  /* last modification time */
  WORD  deModifyTime;
  /* last modification date */
  WORD  deModifyDate;
  
  /* starting cluster of the file or directory */
  WORD  deStartCluster;
  
  /* size of the file in bytes */
  DWORD deFileSize;
  } DIRENTRY; 

(Thanks to Anthony Naggs for info on the time & date fields.)

For FAT12 and FAT16 File Allocation Tables, the member deStartCluster is sufficient to represent the start of a cluster chain, since for these FATs, the number of clusters does not exceed 0xffff. A FAT32 cluster number needs 28-bits of storage (the upper four bits are masked off). The additional 12-bits of information are stored in deEAhandle, another 16-bit field. Thus to locate a starting cluster for a FAT32 directory entry, the required expression is this:

(deEAhandle << 16) + deStartCluster

Updates to the companion diskette.

  • Diskdump, Version 1.1 source and executable (30K).
    Win32 console app which dumps FAT disk data structures.
    Download

Chapter summaries.

This book contains fourteen chapters and four appendixes:

Chapter 1, From IFSMgr to the Internet, introduces and provides an overview of IFSMgr. MultiMon, is used to watch the Netscape web browser load and surf the Internet.

Chapter 2, Where Do Filenames Go?, traces the path of filenames, UNC names, and device names as they pass through the file system.

Chapter 3, Pathways to the File System, examines the mechanisms that the kernel (VMM) uses to allow DOS, Windows 3.x, and Win32 programs access to IFSMgr.

Chapter 4, Win32 File APIs and Their Kernel32 Objects, reveals how the Win32 APIs create Kernel32 file objects and how file object services ultimately become Interrupt 21h requests.

Chapter 5, The "New" MS-DOS File System, shows that the MS-DOS interrupt interfaces are still supported but now they are mostly implemented in IFSMgr's ring-0 code.

Chapter 6, Dispatching File System Requests, looks at the how I/O request packets are routed to file system drivers. Three key IFSMgr data structures are introduced: the ifsreq structure, the shell resource, and the fhandle structure. These data structures allow IFSMgr to call into the appropriate file system driver entry points.

Chapter 7, Monitoring File Activity, examines the use of file system hooks and looks at several example programs. IFSMgr_NetFunction and path hooks are also discussed.

Chapter 8, Anatomy of a File System Driver, looks at the details of the linkage between file system drivers and IFSMgr. It examines in detail how each type of FSD handles the mounting and dismounting operations. Two sample FSDs are described: MONOCFSD, a character FSD and FSINFILE, a remote FSD.

Chapter 9, VFAT: The Virtual FAT File System Driver, reviews the FAT16 file structure and contrasts it with that of FAT32. Some implementation details of VFAT are examined including, initialization and registration, mounting a volume, opening a file, and locating a directory. Some basic IOS data structures and services are introduced.

Chapter 10, Virtual Memory, the Paging File, and Pagers, shows how the paging file is accessed via IFSMgr. The use of each of the system pagers is also explored.

Chapter 11, VCACHE: Caches Big and Small, describes the VCache services and data structures. Many undocumented features are described here.

Chapter 12, A Survey of IFSMgr Services, categorizes and enumerates all IFSMgr services. It provides undocumented details on heap management, event management, and path parsing services.

Chapter 13, VREDIR: The Microsoft Networks Client, looks at how the redirector interfaces with other network components. The NetBIOS and SMB protocols are introduced and these protocols are traced with MultiMon to see how remote file system requests are handled. The CIFS protocol is contrasted with the SMB protocol.

Chapter 14, Looking Ahead, explores the differences between the Windows NT and Windows 95 file systems. The impact of WDM is also assessed.

Appendix A, MultiMon: Setup, Usage, and Extensions, describes how to install and use MultiMon, a Windows 95 internals snooping tool. A sample extension driver is also described.

Appendix B, MultiMon: Monitor Reference, is a reference for the set of monitor drivers which accompany the book. These include file system, Winsock, DeviceIoControl, NetBIOS, SMB, and other monitors.

Appendix C, IFSMgr Data Structures, provides typedefs and descriptions of some key (and undocumented) IFSMgr data structures.

Appendix D, IFS Development Aids, describes four tools for VxD writers using the DDK including IFSWRAPS, a library of all IFSMgr services, and DEBIFS, a debugger "dot" command for examining IFSMgr data structures.

 

Contents of companion diskette.

All of the programs and drivers on the companion disk come with complete source code. These include:

MultiMon and monitor drivers - a Windows 95 internals snooping tool

Sr - utility which dumps IFSMgr's local and remote volume data structures

Fh - utility which dumps IFSMgr's data structures for a volume's open files

Sample file system hook VxDs - sample VxDs which show techniques for calling into FSDs from a file system hook

MonoCFSD - a character file system driver for a monochrome display adapter

FSinFile - a remote file system driver which implements a file system within a file

DumpDisk - utility which displays important FAT16 & FAT32 structures

Pagers - utility which displays the system pagers

Chentry - utility for removing leading underscore on VxD's export name

Header Files for File System Development - supplements to the DDK headers

IFSWraps - a 'C' callable library of all IFSMgr services

DebIFS - a debug command for use with WDEB386 or SoftICE